Defending against future threats: Cloudflare goes post-quantum

There is an expiration date on the cryptography we use every day. It’s not easy to read, but somewhere between 15 or 40 years, a sufficiently powerful quantum computer is expected to be built that will be able to decrypt essentially any encrypted data on the Internet today.

Luckily, there is a solution: post-quantum (PQ) cryptography has been designed to be secure against the threat of quantum computers. Just three months ago, in July 2022, after a six-year worldwide competition, the US National Institute of Standards and Technology (NIST), known for AES and SHA2, announced which post-quantum cryptography they will standardize. NIST plans to publish the final standards in 2024, but we want to help drive early adoption of post-quantum cryptography.

Starting today, as a beta service, all websites and APIs served through Cloudflare support post-quantum hybrid key agreement. This is on by default¹; no need for an opt-in. This means that if your browser/app supports it, the connection to our network is also secure against any future quantum computer.

We offer this post-quantum cryptography free of charge: we believe that post-quantum security should be the new baseline for the Internet.

Deploying post-quantum cryptography seems like a Continue reading

Using Ansible and Packer, From Provisioning to Orchestration

Red Hat Ansible Automation Platform can help you orchestrate, operationalize and govern your hybrid cloud deployments.  In my last public cloud blog, I talked about Two Simple Ways Automation Can Save You Money on Your AWS Bill and similarly to Ashton’s blog Bringing Order to the Cloud: Day 2 Operations in AWS with Ansible, we both wanted to look outside the common public cloud use-case of provisioning and deprovisioning resources and instead look at automating common operational tasks.  For this blog post I want to cover how the Technical Marketing team for Ansible orchestrates a pipeline for demos and workshops with Ansible and how we integrate that with custom AMIs (Amazon Machine Images) created with Packer.  Packer is an open source tool that allows IT operators to standardize and automate the process of building system images.

For some of our self-paced interactive hands-on labs on Ansible.com, we can quickly spin up images in seconds.  In an example automation pipeline we will:

1. Provision a virtual instance.
2. Use Ansible Automation Platform to install an application; in my case, I am literally installing our product Ansible Automation Platform (is that too meta?).
3. After the application Continue reading

Automatic (secure) transmission: taking the pain out of origin connection security

In 2014, Cloudflare set out to encrypt the Internet by introducing Universal SSL. It made getting an SSL/TLS certificate free and easy at a time when doing so was neither free, nor easy. Overnight millions of websites had a secure connection between the user’s browser and Cloudflare.

But getting the connection encrypted from Cloudflare to the customer’s origin server was more complex. Since Cloudflare and all browsers supported SSL/TLS, the connection between the browser and Cloudflare could be instantly secured. But back in 2014 configuring an origin server with an SSL/TLS certificate was complex, expensive, and sometimes not even possible.

And so we relied on users to configure the best security level for their origin server. Later we added a service that detects and recommends the highest level of security for the connection between Cloudflare and the origin server. We also introduced free origin server certificates for customers who didn’t want to get a certificate elsewhere.

Today, we’re going even further. Cloudflare will shortly find the most secure connection possible to our customers’ origin servers and use it, automatically. Doing this correctly, at scale, while not breaking a customer’s service is very complicated. This blog post explains how we are Continue reading

Introducing post-quantum Cloudflare Tunnel

Undoubtedly, one of the big themes in IT for the next decade will be the migration to post-quantum cryptography. From tech giants to small businesses: we will all have to make sure our hardware and software is updated so that our data is protected against the arrival of quantum computers. It seems far away, but it’s not a problem for later: any encrypted data captured today (not protected by post-quantum cryptography) can be broken by a sufficiently powerful quantum computer in the future.

Luckily we’re almost there: after a tremendous worldwide effort by the cryptographic community, we know what will be the gold standard of post-quantum cryptography for the next decades. Release date: somewhere in 2024. Hopefully, for most, the transition will be a simple software update then, but it will not be that simple for everyone: not all software is maintained, and it could well be that hardware needs an upgrade as well. Taking a step back, many companies don’t even have a full list of all software running on their network.

For Cloudflare Tunnel customers, this migration will be much simpler: introducing Post-Quantum Cloudflare Tunnel. In this blog post, first we give an overview of how Cloudflare Tunnel Continue reading

SambaNova ships second-generation AI systems

SambaNova Systems is now shipping the second-generation of its DataScale systems specifically built for AI and machine learning.You may not have heard of SambaNova, a startup led by ex-Oracle/Sun hardware executives and Stanford professors, but its work is likely familiar. The Lawrence Livermore National Laboratory was an early adopter of DataScale and used the systems in its COVID-19 antiviral compound and therapeutic research in 2020.“Our systems were deployed in supercomputers at the Lawrence Livermore National Laboratory, which were then used by various parties for the research and development of COVID-19 antiviral compound and therapeutics,” said Marshall Choy, SambaNova’s senior vice president for products. “So, yes, they were a small part of that. As bad as the pandemic was, at least we got to do something good through it.”To read this article in full, please click here

SambaNova ships second-generation AI systems

SambaNova Systems is now shipping the second-generation of its DataScale systems specifically built for AI and machine learning.You may not have heard of SambaNova, a startup led by ex-Oracle/Sun hardware executives and Stanford professors, but its work is likely familiar. The Lawrence Livermore National Laboratory was an early adopter of DataScale and used the systems in its COVID-19 antiviral compound and therapeutic research in 2020.“Our systems were deployed in supercomputers at the Lawrence Livermore National Laboratory, which were then used by various parties for the research and development of COVID-19 antiviral compound and therapeutics,” said Marshall Choy, SambaNova’s senior vice president for products. “So, yes, they were a small part of that. As bad as the pandemic was, at least we got to do something good through it.”To read this article in full, please click here

netlab EVPN/VXLAN Bridging Example

netlab release 1.3 introduced support for VXLAN transport with static ingress replication and EVPN control plane. Last week we replaced a VLAN trunk with VXLAN transport, now we’ll replace static ingress replication with EVPN control plane.

netlab EVPN/VXLAN Bridging Example

netlab release 1.3 introduced support for VXLAN transport with static ingress replication and EVPN control plane. Last week we replaced a VLAN trunk with VXLAN transport, now we’ll replace static ingress replication with EVPN control plane.

Weekend Reads 093022

Indeed, Juniper Research predicts that operator 5G FWA revenue will reach $24 billion worldwide by 2027, driven essentially by the use of the technology as a fibre replacement for consumer services.

Floppy disks may have gone the way of the dodo and joined other extinct media such as punched cards and paper tape, but some people are apparently still using them, and one company even continues to sell them.

Many companies also have changed how they operate, from having to deal with a more remote hybrid workforce to adapting to supply chains that have yet to completely rebound from the battering they took during the pandemic.

Itâ€s going to be really interesting to see if Comcast, Charter, and the other big cable companies raise prices later this year. The industry has changed, and it doesnâ€t seem as obvious as in the past that cable companies can raise rates and that customers will just begrudgingly go along with it.

Extended spellcheck features in Google Chrome and Microsoft Edge web browsers transmit form data, including personally identifiable information (PII) and in some cases, passwords, to Google and Microsoft respectively.

Operator Telefónica and chip firm Qualcomm are putting their heads together Continue reading

Extend SRIOV VFs to Containers

Please read following git wiki

https://github.com/kashif-nawaz/Extending-SRIOV-VFs-to-Containers

Worth Reading: QUIC Is Not a TCP Replacement

Bruce Davie makes an excellent point in his QUIC Is Not a TCP Replacement article – QUIC not a next-generation TCP, it’s a reliable RPC transport protocol.

What Bruce forgot to mention is that we had a production-grade RPC transport protocol for years – SCTP (Stream Control Transmission Protocol) – but it had two shortcomings:

• It wasn’t invented by the right people;
• It used a different IP protocol number and thus upset every ossified middlebox in the Internet. QUIC hides on top of UDP (because adding extra headers makes at least as much sense as junk DNA).

Worth Reading: QUIC Is Not a TCP Replacement

Bruce Davie makes an excellent point in his QUIC Is Not a TCP Replacement article – QUIC not a next-generation TCP, it’s a reliable RPC transport protocol.

What Bruce forgot to mention is that we had a production-grade RPC transport protocol for years – SCTP (Stream Control Transmission Protocol) – but it had two shortcomings:

• It wasn’t invented by the right people;
• It used a different IP protocol number and thus upset every ossified middlebox in the Internet. QUIC hides on top of UDP (because adding extra headers makes at least as much sense as junk DNA).

Dockerize Rails 7 App

In this post, I will show you how to Dockerize your Rails 7 app in a development environment. We will be using Tailwind for the CSS and PostgreSQL for the database. This setup includes hot reloading of assets on file changes which is super nice. Software used in this post Docker -...continue reading

The state of 5G in South Asia 2022, country-by-country guide

The eight nations that constitute South Asia vary enormously in size and economic and technological power: from the tiny landlocked kingdom of Bhutan, population less than 1 million and a GDP of US$2.4 billion, to India with a population of 1.4 billion and a GPD of US$2.6 trillion.But their 5G progress does not match their size and economic power. The two smallest nations—Bhutan and Maldives—both have commercial 5G services. The two largest—India and Pakistan—have yet to get full commercial 5G services. In these and other countries the assignment and allocation to operators of spectrum for 5G are delaying service introduction.[ More from Network World: What is 5G? • When will 5G be available in India? ] 5G in Afghanistan Given the parlous state of the Afghani economy in the wake of the 2021 Taliban takeover and subsequent embargoes, it is hardly surprising that Afghanistan has no 5G services.To read this article in full, please click here

Worth Reading: EVPN/VXLAN with FRR on Linux Hosts

Jeroen Van Bemmel created another interesting netlab topology: EVPN/VXLAN between SR Linux fabric and FRR on Linux hosts based on his work implementing VRFs, VXLAN, and EVPN on FRR in netlab release 1.3.1.

Bonus point: he also described how to do multi-vendor interoperability testing with netlab.

If only he wouldn’t be publishing his articles on a platform that’s almost as user-data-craving as Google.

Worth Reading: EVPN/VXLAN with FRR on Linux Hosts

Jeroen Van Bemmel created another interesting netlab topology: EVPN/VXLAN between SR Linux fabric and FRR on Linux hosts based on his work implementing VRFs, VXLAN, and EVPN on FRR in netlab release 1.3.1.

Bonus point: he also described how to do multi-vendor interoperability testing with netlab.

If only he wouldn’t be publishing his articles on a platform that’s almost as user-data-craving as Google.

Decrypting TLS Traffic with PolarProxy on Client PC

The tutorial provides detailed steps for decrypting HTTPS traffic generated on a client computer with […]

The post Decrypting TLS Traffic with PolarProxy on Client PC first appeared on Brezular's Blog.

Decrypting TLS Traffic with PolarProxy on Client PC

Modular Network OS with Nokia SR Linux

I was lucky enough to have been invited to attend Network Field Day 29 this past September in San Jose, CA. This event brings independent thought leaders together with a number of IT product vendors to share information and opinions. We saw presentations from a pretty full range of vendors — from the chips to observability. It was a great event and worth a few hours to check out the videos. Thanks to Gestalt IT for getting me involved.

Nokia was among the list of high-end companies we saw. No, they don’t make phones any more (though they do market their name to products), but they are still in the full-power, throw-packets-as-fast-as-you-can markets for hyperscalers and such. If you’re old like I am, you might remember Nokia as the hardware that Checkpoint ran on for a while. My brain has done its best to filter memories of those devices, but, luckily, the Nokia team is doing some much better things these days.

SR Linux was one of the focuses and the big hitter for me. This is a modernization of the SR OS that was introduced 20 years or so ago, and gets us into a “world of streaming telemetry. Continue reading

Interacting with HashiCorp Vault using Python

In the realm of data security, HashiCorp Vault emerges as a formidable tool for safeguarding sensitive information. Its primary role? To serve as a secure and encrypted repository for your most prized secrets. Whether you choose to manage it independently through the open-source option or opt for the convenience of HashiCorp Cloud Platform's SaaS solution, Vault stands as a reliable guardian of your data, ensuring confidentiality and integrity are upheld with every interaction.

The Vault HTTP API serves as a versatile gateway, granting comprehensive control over Vault's functionalities through simple HTTP requests. Whether you're delving into secrets management or tackling encryption tasks, this API opens the door to Vault's full potential. And for Python enthusiasts like myself, there's an added layer of convenience: a meticulously crafted Python SDK, complete with thorough documentation, streamlining interactions with Vault.

In this blog post, we'll embark on a journey to set up a self-managed instance of Vault, exploring how to seamlessly integrate Python for streamlined interaction with the platform.

Installation

We'll kick start our Vault journey by spinning up an instance using Docker. To achieve this, we'll craft a docker-compose.yml file to orchestrate the process:

version: "3.9"
services:
  hashicorp-vault:
    build: .
    ports:
       Continue reading